Overview

overview

10

Static

static

10

nope-1.exe

windows7_x64

10

nope-1.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-05-2021 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nope-1.exe

  • Size

    152KB

  • MD5

    49e8a6ee9c5dd808767d4753639bb045

  • SHA1

    63739f2feff8d277d53b9af26df46c77d4088cf6

  • SHA256

    9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

  • SHA512

    8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

149.28.124.150:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\nope-1.exe
        "C:\Users\Admin\AppData\Local\Temp\nope-1.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1216
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
            4⤵
              PID:1576
          • C:\ProgramData\images.exe
            "C:\ProgramData\images.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2044

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\images.exe
        MD5

        49e8a6ee9c5dd808767d4753639bb045

        SHA1

        63739f2feff8d277d53b9af26df46c77d4088cf6

        SHA256

        9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

        SHA512

        8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

        Download Submit
      • C:\ProgramData\images.exe
        MD5

        49e8a6ee9c5dd808767d4753639bb045

        SHA1

        63739f2feff8d277d53b9af26df46c77d4088cf6

        SHA256

        9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

        SHA512

        8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

        Download Submit
      • \ProgramData\images.exe
        MD5

        49e8a6ee9c5dd808767d4753639bb045

        SHA1

        63739f2feff8d277d53b9af26df46c77d4088cf6

        SHA256

        9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

        SHA512

        8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

        Download Submit
      • \ProgramData\images.exe
        MD5

        49e8a6ee9c5dd808767d4753639bb045

        SHA1

        63739f2feff8d277d53b9af26df46c77d4088cf6

        SHA256

        9cd6c84ba5aee64aca1a0e7d17839c3974b965efd4ab83cc0d1deb336793f590

        SHA512

        8dc55930a566f6efcc365f8a8498aaf93ff609aa98acdbbaee3a4f9716d3da322615cc0366ffcf14b81fc6196b7f8cde982c8ba4d2df874d046db3060ab9af06

        Download Submit
      • memory/1216-61-0x0000000000000000-mapping.dmp
        Download
      • memory/1576-67-0x0000000000000000-mapping.dmp
        Download
      • memory/1640-60-0x00000000769B1000-0x00000000769B3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2044-64-0x0000000000000000-mapping.dmp
        Download